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Terrorist  Capabilities  for  Cyberattack: 
Overview  and  Policy  Issues 


Summary 

Tighter  physical  and  border  security  may  encourage  terrorists  and  extremists  to 
try  to  use  other  types  of  weapons  to  attack  the  United  States.  Persistent  Internet  and 
computer  security  vulnerabilities,  which  have  been  widely  publicized,  may  gradually 
encourage  terrorists  to  develop  new  computer  skills,  or  develop  alliances  with 
criminal  organizations  and  consider  attempting  a  cyberattack  against  the  U.S .  critical 
infrastructure. 

Cybercrime  increased  dramatically  between  2004  and  2005,  and  several  recent 
terrorist  events  appear  to  have  been  funded  partially  through  online  credit  card  fraud. 
Reports  indicate  that  terrorists  and  extremists  in  the  Middle  East  and  South  Asia  may 
be  increasingly  collaborating  with  cybercriminals  for  the  international  movement  of 
money,  and  for  the  smuggling  of  arms  and  illegal  drugs.  These  links  with  hackers 
and  cybercriminals  may  be  adding  to  terrorists’  computer  skills,  and  finances 
obtained  through  drug  trafficking  may  also  provide  terrorists  with  access  to  highly 
skilled  computer  programmers.  The  July,  2005  subway  and  bus  bombings  in 
England  also  indicate  that  extremists  and  their  sympathizers  may  already  be 
embedded  in  societies  with  a  large  information  technology  workforce. 

The  United  States  and  international  community  have  taken  steps  to  coordinate 
laws  to  prevent  cybercrime,  but  if  trends  continue  computer  attacks  will  become 
more  numerous,  faster,  and  more  sophisticated.  In  addition,  a  recent  report  by  the 
Government  Accountability  Office  states  that,  in  the  future,  U.S.  government 
agencies  may  not  be  able  to  respond  effectively  to  such  attacks. 

This  report  examines  possible  terrorists’  objectives  and  computer  vulnerabilities 
that  might  lead  to  an  attempted  cyberattack  against  the  critical  infrastructure  of  the 
U.S.  homeland,  and  also  discusses  the  emerging  computer  and  other  technical  skills 
of  terrorists  and  extremists.  Policy  issues  include  exploring  ways  to  improve 
technology  for  cybersecurity,  or  whether  U.S.  counterterrorism  efforts  should  be 
linked  more  closely  to  international  efforts  to  prevent  cybercrime. 

This  report  will  be  updated  as  events  warrant. 
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Terrorist  Capabilities  for  Cyberattack: 
Overview  and  Policy  Issues 


Introduction 


Terrorists  and  violent  extremists  often  rely  on  exploiting  vulnerabilities  of 
targets  seen  as  soft  and  easy  to  access.  Implementation  of  a  stronger  policy  for 
domestic  physical  security  has  reduced  some  options  for  physical  attack,  and  it  is 
suggested  by  numerous  experts  that  terrorists  may  be  developing  new  computer  skills 
or  forming  alliances  with  cybercriminals  that  may  give  them  access  to  high  level 
computer  skills.  In  addition,  continuing  publicity  about  Internet  computer  security 
vulnerabilities  may  encourage  terrorists’  interest  in  attempting  a  possible  computer 
network  attack,  or  cyberattack,  against  U.S.  critical  infrastructure. 

To  date,  the  Federal  Bureau  of  Investigation  (FBI)  reports  that  cyberattacks 
attributed  to  terrorists  have  largely  been  limited  to  unsophisticated  efforts  such  as 
email  bombing  of  ideological  foes,  or  defacing  of  web  sites.  However,  it  says  their 
increasing  technical  competency  is  resulting  in  an  emerging  capability  for  network- 
based  attacks.  The  FBI  has  predicted  that  terrorists  will  either  develop  or  hire 
hackers  for  the  purpose  of  complimenting  large  conventional  attacks  with 
cyberattacks.1 

IBM  has  reported  that,  during  the  first  half  of  2005,  criminal-driven  computer 
security  attacks  increased  by  50  percent,  with  government  agencies  and  industries  in 
the  United  States  targeted  most  frequently.2  Cybercrime  is  now  a  major  criminal 
activity,  and  it  may  become  increasingly  difficult  to  separate  some  forms  of 
cybercrime  from  suspected  terrorist  activities.  For  example,  in  a  recent  report  from 
the  House  Homeland  Security  Committee,  FBI  officials  indicated  that  extremists 
have  used  identity  theft  and  credit  card  fraud  to  support  recent  terrorist  activities  by 
A1  Qaeda  cells.3  Also,  according  to  press  reports  Indonesian  police  officials  believe 


1  Keith  Lourdeau,  FBI  Deputy  Assistant  Director,  testimony  before  the  U.S.  Senate 
Judiciary  Subcommittee  on  Terrorism,  Technology,  and  Homeland  Security,  February  24, 
2004. 

2  IBM  Press  Release,  Government,  financial  services  and  manufacturing  sectors  top  targets 

of  security  attacks  in  first  half  of  2005,  August,  2,  2005, 

[http://www.ibm.com/news/ie/en/2005/08/ie_en_news_20050804.html], 

3  According  to  FBI  officials,  A1  Qaeda  terrorist  cells  in  Spain  used  stolen  credit  card 
information  to  make  numerous  purchases.  Also,  the  FBI  has  recorded  more  than  9.3  million 
Americans  as  victims  of  identity  theft  in  a  12  month  period;  June,  2005.  Report  by  the 
Democratic  Staff  of  the  House  Homeland  Security  Committee,  Identity  Theft  and  Terrorism, 

(continued...) 
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the  2002  terrorist  bombings  in  Bali  were  partially  financed  through  online  credit  card 
fraud.4 

Some  experts  reportedly  state  that  the  Internet  is  now  a  prime  recruiting  tool  for 
insurgents  in  Iraq.5  Insurgents  have  created  many  Arabic-language  Web  sites  that  are 
said  to  contain  coded  plans  for  new  attacks.  Some  reportedly  give  advice  on  how  to 
build  and  operate  weapons,  and  how  to  pass  through  border  checkpoints.6  Other 
news  articles  report  that  a  younger  generation  of  terrorists  and  extremists,  such  as 
those  behind  the  July  2005  bombings  in  London,  are  learning  new  technical  skills  to 
help  them  avoid  detection  by  law  enforcement  computer  technology.7 

This  report  reviews  publications  and  government  reports  to  explore  the 
following:  (1)  examples  of  vulnerabilities  that  may  raise  the  level  of  interest  that 
terrorists  might  have  in  attempting  a  coordinated  cyberattack;  (2)  effects  of  the  War 
on  Terror  that  are  driving  terrorists  to  use  the  Internet  more;  (3)  inconsistent  reporting 
about  terrorists’  cyber  activities;  and  (4)  ways  that  terrorists  may  be  improving  their 
cyber  skills. 


Background 

Distinctions  between  crime,  terrorism  and  war  tend  to  blur  when  attempting  to 
describe  a  computer  network  attack  (CNA)  in  ways  that  parallel  the  physical  world. 
For  example,  if  a  nation  state  were  to  secretly  sponsor  non-state  actors  who  initiate 
a  CNA  to  support  terrorist  activities  or  to  create  economic  disruption,  the  distinction 
between  cybercrime  and  cyberwar  becomes  less  clear.  Because  it  is  difficult  to  tell 
from  where  a  cyberattack  originates,  an  attacker  may  direct  suspicion  toward  an 
innocent  third  party.  Likewise,  the  interactions  between  terrorists  and  criminals  who 
use  computer  technology  may  sometimes  blur  the  distinction  between  cybercrime  and 
cyberterrorism.  So  far,  it  remains  difficult  to  determine  the  sources  responsible  for 
most  of  the  annoying,  yet  increasingly  sophisticated  attacks  that  plague  the  Internet. 


3  (...continued) 

July  1,  2005,  p.  10. 

4  Alan  Sipress,  An  Indonesian’s  Prison  Memoir  Takes  Holy  War  Into  Cyberspace, 
Washington  Post,  December  14,  2004,  A19. 

5  Jonathan  Curiel,  TERROR.  COM:  Iraq ’s  tech-savvy  insurgents  are  finding  supporters  and 
luring  suicide-bomber  recruits  over  the  Internet,  San  Francisco  Chronicle,  July  10,  2005, 
[http://www. sfgate.com/cgi-bin/article.cgi  ?f=/c/a/2005/07/10/CURIEL.TMP], 

6  Jonathan  Curiel,  Iraq’s  tech-savvy  insurgents  are  finding  supporters  and  luring  suicide- 
bomber  recruits  over  the  Internet,  San  Francisco  Chronicle,  July  10,  2005,  A.01. 

7  Michael  Evans  and  Daniel  McGrory,  Terrorists  Trained  in  Western  Methods  Will  Leave 
Few  Clues,  London  Times,  July  12,  2005. 


CRS-3 


When  is  Cyberattack  Considered  Cyberterrorism? 

Some  observers  feel  that  the  term  “Cyberterrorism' ’  is  inappropriate,  because  a 
widespread  cyberattack  may  simply  produce  annoyances,  not  terror,  as  would  a 
bomb,  or  other  chemical,  biological,  radiological,  or  nuclear  explosive  (CBRN) 
weapon.  However,  others  believe  that  the  effects  of  a  widespread  computer  network 
attack  would  be  unpredictable  and  might  cause  enough  economic  disruption,  fear, 
and  civilian  deaths,  to  qualify  as  terrorism.  At  least  two  views  exist  for  defining  the 
term  Cyberterrorism: 

•  Effects-based:  Cyberterrorism  exists  when  computer  attacks  result 
in  effects  that  are  disruptive  enough  to  generate  fear  comparable  to 
a  traditional  act  of  terrorism,  even  if  done  by  criminals. 

•  Intent-based:  Cyberterrorism  exists  when  unlawful  or  politically 
motivated  computer  attacks  are  done  to  intimidate  or  coerce  a 
government  or  people  to  further  a  political  objective,  or  to  cause 
grave  harm  or  severe  economic  damage.8 

Objectives  for  a  Cyberattack 

According  to  Richard  Clarke,  former  Administration  Counter  Terrorism  Advisor 
and  National  Security  Advisor,  if  terrorists  were  to  launch  a  widespread  cyberattack 
against  the  United  States,  the  economy  would  be  the  intended  target  for  disruption, 
while  death  and  destruction  might  be  considered  collateral  damage.9  Many  security 
experts  also  agree  that  a  cyberattack  would  be  most  effective  if  it  were  used  to 
amplify  a  conventional  bombing  or  CBRN  attack.  Some  computer  security  observers 
say  that  a  widespread,  coordinated  cyberattack  would  technically  be  very  difficult 
to  orchestrate,  and  would  unlikely  be  effective  for  furthering  terrorists’  goals. 
Because  such  an  attack  cannot  directly  cause  death  and  destruction,  may  explain  why 
there  is  no  evidence  that  terrorist  groups  have  undertaken  one.10  However,  other 
observers  say  that,  because  of  interdependencies  among  infrastructure  sectors,  a 
large-scale  cyberattack  that  affected  one  sector  could  also  have  disruptive, 


8  For  a  more  in-depth  discussion  of  the  definition  of  cyberterrorism,  see  CRS  Report, 
RL32114,  Computer  Attack  and  Cyberterrorism:  Vulnerabilities  and  Policy  Issues  for 
Congress. 

9  Kevin  Rademacher  reporting  remarks  of  Richard  Clarke  at  CardTech/SecurTech  security 

conference  April  2005,  Clarke:  ID  theft  prevention  tied  to  anti-terrorism  efforts.  Las  Vegas 
Sun,  April  13,  2005,  [http://www.lasvegassun.com/sumbin/stories/text/2005/ 

apr/13/5 18595803.html], 

10  Joris  Evers,  Does  Cyberterrorism  Pose  a  True  Threat?,  PCWorld,  March  14,  2003, 
[http://www.peworld.eom/news/article/0.aid,  1098 1 9,00.asp] .  Joris  Evers,  reporting  remarks 
by  Bruce  Schneier  at  CeBIT  technology  trade  show  in  March  2003,  Cyberterror 
Threat  Overblown,  Computerworld,  March  14,  2003,  [http://www.computeworld,com/ 
printthis/2003/0,48 14,79368, 00.html].  Gabriel  Weimann ,  Special  Report  -  Cyberterrorism: 
How  Real  is  the  Threat?,  United  States  Institute  of  Peace,  Washington,  D.C.,  May  2004. 
Dan  Ilett  reporting  remarks  of  Richard  Clarke  at  the  Oxford  University  Internet  Institute  in 
February  2005,  Clarke  joins  latest  cyberterror  debate,  ZDNet  UK,  February  11,  2005, 
[http://www.zdnet.co.uk/print/?TYPE=story&AT=39187582-39020375t-10000025c]. 
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unpredictable,  and  perhaps  devastating  effects  on  other  sectors,  and  possibly  long- 
lasting  effects  to  the  economy.  These  observers  assert  A1  Qaeda  and  associated 
terrorist  groups  are  becoming  more  technically  sophisticated,  and  years  of  publicity 
about  computer  security  weaknesses  has  made  them  aware  that  the  U.S.  economy 
could  be  vulnerable  to  a  coordinated  cyberattack.11 

Publicity  would  be  also  one  of  the  primary  objectives  for  a  terrorist  attack. 
Extensive  coverage  has  been  given  to  the  vulnerability  of  the  U.S.  information 
infrastructure  and  to  the  potential  harm  that  could  be  caused  by  a  cyberattack.  This 
might  lead  terrorists  to  feel  that  even  a  marginally  successful  cyberattack  directed  at 
the  United  States  may  garner  considerable  publicity.12 

Persistent  Computer  Security  Vulnerabilities 

At  the  July  2005  Black  Hat  computer  security  conference  (a  private  sector 
sponsored  annual  meeting  of  organizations  focused  on  cyber-security  technology  and 
related  issues)  Las  Vegas,  a  security  expert  demonstrated  an  exploit  of  what  many 
consider  to  be  a  significant  Internet  security  flaw,  by  showing  how  the  most 
commonly  used  Internet  routers;  the  computer’s  device  that  forwards  data  to  a 
desired  destination,  could  quickly  be  hacked.13  This  router  vulnerability  could  allow 
an  attacker  to  disrupt  selected  portions  of  the  Internet,  or  even  target  specific  groups 
of  banks  or  power  stations.14  Security  expert  Bruce  Schneier,  a  recent  critic  of  the 
idea  of  cyberterrorism,  reportedly  agreed  that  the  router  flaw  was  a  “major”  Internet 
security  vulnerability,  and  could  allow  criminals  to  steal  identity  information,  or 
otherwise  attack  networks.  The  company  released  in  April  2005  a  software  patch 
to  fix  the  problem,  but  over  the  following  four  months,  had  apparently  not  notified 
its  customers  and  government  agencies,  including  DHS,  about  the  seriousness  of  the 
vulnerability.15 


11  Dan  Verton,  Black  Ice:  The  Invisible  Threat  of  Cyber-Terrorism,  McGraw-Hill,  2003, 
p.l  10.  Keith  Lourdeau,  Deputy  Assistant  Director  of  the  FBI  Cyber  Division,  testimony 
before  the  Senate  Judiciary  Subcommittee  on  Terrorism,  Technology  and  Homeland 
Security,  February  24,  2004.  Ryan  Naraine  reporting  remarks  of  Roger  Cressey  at  Infosec 
World  2005,  Cyber-Terrorism  Analyst  Warns  Against  Complacency,  eWEEK.com,  April 
4,  2005,  [http://www.eweek.eom/article2/0, 1759, 1782288,00.asp]. 

12  The  Electronic  Intrusion  Threat  to  National  Security  and  Emergency  Preparedness 

(NS/EP)  Internet  Communications,  Office  of  the  Manager,  National  Communications 
System,  December  2000,  p.31,  [http://www.ncs.gov/library/reports/electron 

ic_intrusion_threat2000_final2.pdf]. 

13  Amy  Storer,  Update:  IPv6  risks  may  outweigh  benefits,  SearchSecurity.com, 

July  29,  2005,  [http://searchsecurity.techtarget.eom/originalContent/0.2 

89142, sidl4_gcil  1 12459, 00.html?track=NL-358&ad=525032USCA], 

14  Victor  Garza,  Security  researcher  cause  furor  by  releasing  flaw  in  Cisco  Systems  IOS, 

SearchSecurity.com,  July  28,  2005,  [http://searchsecurity.techtarget.com/ori 

ginalContent/0,289142,sidl4_gcil  1 1 1389.00.html]. 

15  Justin  Rood,  Cisco  Failed  to  Alert  DHS,  Other  Agencies  About  Software  Security  Flaw, 

CQ  Homeland  Security,  August  2,  2005,  [http://homeland.cq.eom/hs/display.d 

o?docid=l  8 10432&sourcetype=3  l&binderName=news-all]. 
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The  United  States  may  provide  ample  economic  targets  vulnerable  to 
cyberattack,  thus  tempting  terrorist  groups  to  increase  their  cyber  skills. 16  A  February 
2005  report  by  the  President’s  Information  Technology  Committee  (PITAC)  stated 
that  the  information  technology  infrastructure  of  the  United  States,  which  is  vital  for 
communication,  commerce,  and  control  of  the  physical  infrastructure,  is  highly 
vulnerable  to  terrorist  and  criminal  attacks.  The  report  also  found  that  the  private 
sector  has  an  important  role  in  protecting  national  security  by  deploying  sound 
security  products,  and  by  adopting  good  security  practices.17  However,  a  recent 
survey  of  136,000  PCs  used  in  251  commercial  businesses  in  North  America  found 
that  a  major  security  software  patch,  known  as  SP2,  was  installed  on  only  nine 
percent  of  the  systems,  despite  the  fact  that  Microsoft  advertized  the  importance  of 
installing  the  security  patch  one  year  ago.  The  remaining  91  percent  of  commercial 
businesses  surveyed  will  continue  to  be  exposed  to  major  security  threats  until  they 
deploy  the  software  patch  throughout  their  organizations.18  This  may  bring  into 
question  the  extent  to  which  the  private  sector  will  self-protect  without  greater 
incentive. 

Several  recent  studies  by  global  computer  security  firms  found  that  the  highest 
rates  for  computer  attack  activity  were  directed  against  critical  infrastructures,  such 
as  government,  financial  services,  manufacturing,  and  power.  These  reports  also 
show  that  the  United  States  is  the  most  highly  targeted  nation  for  computer  attacks; 
during  the  first  half  of  2005,  United  States  computer  systems  were  attacked  at  a  rate 
10  times  higher  than  the  next  most  highly  targeted  nation,  China  (see  section  titled 
“Trends  in  Cybercrime”,  below).19  U.S.  federal  agencies  have  come  under  criticism 
in  past  years  for  the  effectiveness  of  their  computer  security  programs.20  Further,  a 
May  2005  report  by  the  Government  Accountability  Office  (GAO)  stated  that 


16  Dan  Verton,  Black  Ice:  The  Invisible  Threat  of  Cyber-Terrorism,  McGraw-Hill,  2003, 

p.110. 

17  The  President’ s  Information  Technology  Advisory  Committee,  Cyber  Security:  A  Crisis 

of  Prioritization,  Report  to  the  President,  February  2005,  p.25, 

[http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf]. 

18  John  Foley,  Businesses  Slow  to  Deploy  Windows  XP  SP2,  Information  Week,  April  26, 
2005,  p.26. 

19  IBM  News,  Report  finds  online  attacks  shift  toward  profit,  August  2,  2005, 
[http://www.ibm.com/news/us/en/2005/08/2005_08_02.html].  Symantec  Press  Release, 
Symantec  Internet  Security  Threat  Report  Highlights  Rise  In  Threats  To  Confidential 
Information,  March  21,  2005,  [http://www.symantec.com/press/2005/n050321.html]. 

211  Based  on  2002  data  submitted  by  federal  agencies  to  the  White  House  Office  of 
Management  and  Budget,  GAO  noted,  in  testimony  before  the  House  Committee  on 
Government  Reform  (GAO-03-564T,  April  8,  2003),  that  all  24  agencies  continue  to  have 
“significant  information  security  weaknesses  that  place  a  broad  array  of  federal  operations 
and  assets  at  risk  of  fraud,  misuse,  and  disruption.”,  Christopher  Lee,  November  20,  2002, 
Agencies  Fail  Cyber  Test:  Report  Notes  ‘Significant  Weaknesses’  in  Computer  Security, 
[http://www.washingtonpost.com/ac2/wp-dyn/Al  232  l-2002Novl9?language=printer.] 
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because  of  the  growing  sophistication  of  malicious  code  on  the  Internet,  the  federal 
government  may  increasingly  be  limited  in  its  ability  to  respond  to  cyber  threats.21 

Effects  of  Counterterrorism  Efforts 

DHS  has  reportedly  suggested  that  terrorist  groups  may  be  forced,  because  of 
increased  security  measures,  to  change  the  weapons  they  try  to  use  to  strike  against 
the  United  States.22  Many  observers  that  monitor  the  Internet  suggest  that  due  to  the 
effects  of  intensified  counterterrorism  efforts  worldwide,  Islamic  extremists  are 
gravitating  toward  the  Internet,  and  are  succeeding  in  organizing  online  where  they 
have  been  failing  in  the  physical  world.  Terrorist  groups  increasingly  use  online 
services  for  covert  messaging,  through  steganography,  anonymous  email  accounts, 
and  encryption.23 

The  Washington  Times  has  reported  that  Islamic  extremists  are  calling  for 
creation  of  an  Islamist  hackers’  army  to  plan  cyberattacks  against  the  U.S. 
government  and  that  postings  on  the  extremist  bulletin  board,  al-Farooq,  carry 
detailed  cyberattack  instructions,  and  include  spyware  programs  for  download  that 
can  be  used  to  learn  the  passwords  of  targeted  users.24  Other  extremist  web  sites 
reportedly  resemble  online  training  camps  that  may  offer  instructions  for  how  to 
create  a  safe-house,  how  to  clean  a  rocket-propelled  grenade  launcher,  or  what  to  do 
if  captured.25 

Changing  Concerns  about  Cyberattack,  2001-2005 

Following  the  September  1 1  attacks,  public  concerns  were  high  about  the  threat 
of  a  possible  follow-on  cyberattack  from  terrorist  groups.26  Subsequently,  there  has 
been  disagreement  among  security  experts  about  (1)  whether  such  an  attack  could 


21  GAO  report  05-231,  Information  Security;  Emerging  Cybersecurity  Issues  Threaten 
Federal  Information  Sy stems.  May  2005. 

22  Eric  Lipton,  Homeland  Report  Says  that  Threat  From  Terror-List  Nations  Is  Declining, 
The  New  York  Times,  March  31,  2005,  Section  A,  P.9. 

23  Terrorist  suspects  are  reportedly  using  encryption  techniques  to  prevent  police  from 

accessing  vital  intelligence  on  seized  computers,  according  to  U.K.  police.  Stewart  Tendler, 
Encrypted  files  frustrate  police,  Times  Online,  July  20,  2005, 

[http://teehnology.timesonline.co.Uk/aiticle/0,, 20409-  1701405.00.html].  See CryptoHaven, 
[http://www.cryptoheaven.com/],  and  SecretMaker,  [http://www.secretmaker.com/ 
emailsecurer/steganography/default.html], 

24  Shaun  Waterman,  Islamists  Seek  To  Organize  Hackers  ’  Jihad  in  Cyberspace,  August  26, 
2005,  Washington  Times,  p.9. 

25  Tom  Spring,  Al  Qaeda’s  Tech  Traps,  PCWorld,  September  1,  2004, 
[http://www.pcworld.eom/news/article/0,  aid,  117658 ,00.  asp] . 

26  In  July  2002,  Gartner  Research  and  the  U.S.  Naval  War  College  hosted  a  three -day, 
seminar-style  war  game  called  “Digital  Pearl  Harbor”  (DPH),  with  the  result  that  79  percent 
of  the  gamers  said  that  a  strategic  cyberattack  against  the  United  States  was  likely  within  the 
next  two  years.  Gartner  Research,  ‘Digital  Pearl  Harbor’:  Defending  Your  Critical 
Infrastructure,  October  4,  2002,  [http://www.gartner.eom/pages/story.php.id.2727.s.8.jsp]. 
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possibly  be  launched  by  terrorists  against  U.S.  civilian  critical  infrastructure,  or  (2) 
whether  such  an  attack  could  seriously  disrupt  the  U.S.  economy.27 

Simulated  cyberattacks,  conducted  by  the  U.S.  Naval  War  College  in  2002, 
indicated  that  attempts  to  cripple  the  U.S.  telecommunications  infrastructure  would 
be  unsuccessful  because  system  redundancy  would  prevent  damage  from  becoming 
too  widespread.  Many  observers  suggest  that  evidence  from  natural  disasters  shows 
that  many  the  critical  infrastructure  systems,  including  banking,  power,  water,  and 
air  traffic  control,  would  likely  recover  rapidly  from  a  possible  cyberattack.28 

To  date,  there  has  been  no  published  report  of  a  coordinated  cyberattack 
launched  against  the  critical  infrastructure  by  a  terrorist  or  terrorist  group.  Dennis 
McGrath  of  the  Institute  of  Security  Technology  Studies  at  Dartmouth  College 
reportedly  observed  that,  “We  hear  less  and  less  about  a  digital  Pearl  Harbor. 
Cyberterrorism  is  not  at  the  top  of  the  list  of  discussions”.29 

In  May  2005,  the  CIA  reportedly  conducted  a  classified  war  game,  dubbed 
“Silent  Horizon,”  to  practice  defending  against  a  simulated  widespread  cyberattack 
directed  against  the  United  States.  The  national  security  simulation  was  considered 
significant  because  many  U.S.  counterterrorism  experts  feel  that  far-reaching  effects 
from  a  cyberattack  are  highly  unlikely.30  However,  other  observers  believe  that  tests 
of  countermeasures,  even  for  unlikely  events,  may  sometimes  be  prudent. 

Inconsistent  Reporting  of  Terrorists’  Cyber  Activities 

A  review  of  two  annual  U.S.  government  reports  on  terrorism  activity  shows 
inconsistent  attention  to  the  issue  of  possible  cyberterrorism.  31  Two  federal  agencies 
report  on  terrorism  activity  annually:  (1)  the  Department  of  State’s  (DoS)  Patterns 


27  Robert  Gates,  former  CIA  director,  warned  that  the  threat  of  cyberterrorism  should  be 
taken  particularly  seriously.  Keith  Lourdeu,  deputy  assistant  director  of  the  FBI  Cyber 
Division,  stated  that  “our  networked  systems  make  inviting  targets  for  terrorists  due  to  the 
potential  for  large-scale  impact  on  the  nation.”  Douglas  Schweitzer,  Be  Prepared  for 
Cyberterrorism,  Computerworld,  April  6, 2005.  However,  others  believe  that  infrastructure 
systems  are  robust  and  could  recover  quickly.  Richard  Forno,  Shredding  the  Paper  Tiger 
of  Cyberterrorism,  Security  Focus,  September  25,  2002,  [http://www.securityfocus.com/ 
printable/columnists/111].  See  also,  CRS  Report  321 14,Computer  Attack  and 
Cyberterrorism:  Vulnerabilities  and  Policy  Issues  for  Congress. 

28  Scott  Nance,  Debunking  Fears:  Exercise  Finds  ‘ Digital  Pearl  Harbour’  Risk  Small , 
Defense  Week,  April7, 2003,  [http://www.kingpublishing.com/publications/dw/].  William 
Jackson,  War  College  Calls  Digital  Pearl  Harbor  Doable ,  Government  Computer  News, 
August  23,  2002,  [http://www.gcn.com/voll_nol/daily-updates/19792-l.html]. 

29  CIA  Overseeing  3  Day  Wargame  on  Internet,  Associated  Press ,  May  25,  2005. 

30  Ted  Bridis,  ‘Silent  Horizon’  war  games  wrap  up  for  the  CIA ,  USA  Today,  May  26, 2005, 
[http://www.usatoday.com/tec  h/news/techpolicy/2005-05-26-cia-wargames_x.htm]. 

31  John  Rollins,  Specialist  in  Terrorism  and  International  Crime,  Congressional  Research 
Service,  August  2005. 
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of  Global  Terrorism 32  and,  (2)  the  Federal  Bureau  of  Investigation’s  Annual 
Terrorism  in  the  United  States.33 

In  the  DoS  reports  for  the  years  1996  to  1999,  brief  mention  is  made  of 
cyberterrorism  issues.  In  the  year  2000,  the  report  acknowledges  that  “widespread 
availability  of  hacking  software  and  its  anonymity  and  increasingly  automated  design 
make  it  likely  that  terrorists  will  more  frequently  incorporate  these  tools  into  their 
online  activity.”  In  2001,  however,  no  mention  of  cyberterrorism  issues  appeared  in 
the  DoS  report,  and  for  the  years  2002  to  2004,  only  mentions  of  various  security 
forums  and  international  cybersecurity  working  groups  were  noted. 

The  FBI’s  Annual  Terrorism  Report  similarly  was  inconsistent  in  mentioning 
cyberterrorism  issues.  In  the  1996  and  1997  reports,  there  was  no  mention  of 
cyberterrorism  or  related  activity.  In  1 998  the  report  acknowledged  that  “cyber  tools 
may  find  their  way  in  the  hands  of  terrorist”  and  speculated  that  “the  spread  of 
cyberattack  tools,  like  the  proliferation  of  conventional  weapon  technology  may 
eventually  wind  up  in  the  hands  of  terrorists”.  The  following  year,  1999,  the  Report 
stated  that  “the  threat  of  cyberterrorism  will  grow  in  the  new  Millennium,  as  the 
leadership  positions  in  extremist  organizations  are  increasingly  filled  with  younger, 
Internet-savvy  individuals”.  These  two  reports  arguably  suggested  that  the  issue  of 
cyberterrorism  was  being  followed  closely.  The  Reports  from  2000  to  2003 
mentioned  cyberterrorism,  but  only  in  the  programmatic  aspect  regarding 
organizational  changes  the  FBI  was  putting  in  place  to  address  cybersecurity,  with 
no  mention  of  past  or  projected  cyberterrorism  incidents  or  issues.  The  FBI  did  not 
produce  a  report  in  2004,  and  one  is  not  yet  due  for  2005. 

Since  the  attacks  of  9/1 1,  many  observers  are  concerned  that  increased  efforts 
to  safeguard  facilities,  infrastructure,  personnel  safety,  and  the  decrease  in  the  DoS’  s 
and  FBI’s  discussion  of  cybersecurity  issues,  together  may  indicate  a  lack  of 
appreciation  for  the  threat  that  may  be  facing  the  United  States  from  possible 
cyberterrorism.  Others  suggest  that  although  the  frequency  and  severity  of 
cyberattacks  are  on  the  rise,  the  federal  government  may  not  be  sufficiently 
increasing  its  efforts  to  improve  cybersecurity.34 

Technical  Skills  of  Terrorists 

In  April  2002,  the  Central  Intelligence  Agency  (CIA)  stated  in  a  letter  to  the 
U.S.  Senate  Select  Committee  on  Intelligence  that  cyberwarfare  attacks  against  the 
U.S.  critical  infrastructure  will  become  a  viable  option  for  terrorists  as  they  become 
more  familiar  with  the  technology  required  for  the  attacks.  Also  according  to  the 


32  “Country  Reports  on  Terrorism”  is  submitted  in  compliance  with  Title  22  of  the  United 
States  Code,  Section  2656(f)  which  requires  the  Department  of  State  to  provide  Congress 
with  a  full  and  complete  annual  report  on  terrorism  for  those  countries  and  groups  meeting 
the  criteria  of  Section  (a)(1)  and  (2)  of  the  Act.,  [http://www.state.gOv/s/ct/rls/cl4812.htm], 

33  http://www.fbi.gov/publications.htm 

34  GAO  report  05-231,  Information  Security;  Emerging  Cybersecurity  Issues  Threaten 
Federal  Information  Sy stems,  May  2005. 
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CIA,  various  groups,  including  A1  Qaeda  and  Hizballah,  are  becoming  more  adept 
at  using  the  Internet  and  computer  technologies,  and  these  groups  could  possibly 
develop  the  skills  necessary  for  a  cyberattack.35 

Through  captured  literature,  it  is  known  that  many  A1  Qaeda  members  are  well 
educated,  and  have  familiarity  with  engineering  and  other  technical  areas.36  During 
a  November  2001  attack  by  U.S.  forces,  A1  Qaeda  fighters  fled  from  Kabul, 
Afghanistan  leaving  behind  many  documents  and  sensitive  information  that  yielded 
a  profile  of  some  A1  Qaeda  operatives  as  well-educated  and  trained  in  the  use  of 
computer  systems.  “Technical  treatises  in  Arabic,  English,  German  as  well  a 
students’  notebooks  in  Arabic,  Turkish,  Kurdish,  and  Russian  reflected  a  consistent 
interest  in  and  widespread  familiarity  with  electrical  and  chemical  engineering, 
atomic  physics,  ballistics,  computers,  and  radios”,  according  to  researchers  and 
journalists  who  reportedly  examined  the  documents.37 

Iman  Samudra,  convicted  and  now  awaiting  execution  for  taking  part  in  the 
2002  bombings  of  two  Bali  nightclubs,  has  written  a  book  titled  “Aku  Mekawan 
Terroris!”,  which  reportedly  translates  to  “Me  Against  the  Terrorist”.  Samudra 
advocates  that  Muslim  youth  actively  develop  hacking  skills  “to  attack  U.S.  computer 
networks”.  Samudra  names  several  websites  and  chat  rooms  as  sources  for 
increasing  hacking  skills.  He  urges  Muslim  youth  to  obtain  credit  card  numbers  and 
use  them  to  fund  the  struggle  against  the  United  States  and  its  allies.38  The  terrorist 
attacks  in  Bali,  and  recent  attacks  in  several  other  countries,  may  have  been  funded 
through  stolen  credit  cards.39 

In  February  2005 ,  FBI  director  Robert  Mueller,  testified  before  the  Senate  Select 
Committee  on  Intelligence  that  terrorists  show  a  growing  understanding  of  the  critical 
role  of  information  technology  in  the  U.S.  economy  and  have  expanded  their 
recruitment  to  include  people  studying  math,  computer  science,  and  engineering.40 


35  Dan  Verton,  Black  Ice:  The  Invisible  Threat  of  Cyberterrorism,  McGraw-Hill,  2003,  p.  87. 

36  Tom  Spring,  Al  Qaeda’s  Tech  Traps,  PC  World,  September  1,  2004, 
[http://www.pcworld.eom/news/article/0.aid,  117658 ,00.  asp] . 

37  Anthony  Davis,  The  Afghan  files:  Al-Qaeda  documents  from  Kabul,  Jane’s  Intelligence 
Review,  February  1,  2002. 

38  FBI  Report  FEA2004 1222000744,  version  17,  Convicted  Indonesian  Terrorist  Calls  for 

Computer  Hacking,  Jihad  Against  US,  December  4,  2004, 

[https://www.fbis.gov/portal/server.pt/gateway/PTARGS_0_22439_246_203_0_43/http 
%3B/apps.fbis.gov%3B701  l/fbis.gov/search/Search?action=viewDocument&holding=5 
051585], 

39  Richard  Clarke,  former  counterterrorism  advisor  for  Presidents  George  W.  Bush  and  Bill 

Clinton,  stated  that  we  are  vulnerable  to  people  who  would  use  our  identities  against  us. 
Kevin  Rademacher,  Clarke:  ID  theft  prevention  tied  to  anti-terrorism  efforts,  Las  Vegas 
Sun,  April  13,  2005  [http://www.lasvegassun.com/sunbin/stories/text/20 

05/apr/ 1 3/5 1 8595  803  .html] . 

40  Testimony  before  the  Senate  Select  Committee  on  Intelligence,  February  16,  2005. 
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Trends  in  Cybercrime 

According  to  an  August  2005  computer  security  report  by  IBM,  more  than  237 
million  overall  security  attacks  were  reported  globally  during  the  first  half  of  the 
year.41  Government  agencies  were  targeted  the  most,  reporting  more  than  54  million 
attacks,  while  manufacturing  ranked  second  with  36  million  attacks,  financial 
services  ranked  third  with  approximately  34  million,  and  healthcare  received  more 
than  17  million  attacks.  The  most  frequent  targets  for  these  attacks,  all  occurring  in 
the  first  half  of  2005,  were  government  agencies  and  industries  in  the  United  States 
(12  million),  followed  by  New  Zealand  (1.2  million),  and  China  (1  million).  These 
statistics  may  represent  an  underestimation,  given  that  most  security  analysts  agree 
that  the  number  of  incidents  reported  are  only  a  small  fraction  of  the  total  number  of 
attacks  that  actually  occur. 

Usually,  a  cyberattack  is  difficult  to  detect  until  after  it  is  well  underway,  and 
may  involve  hundreds  or  thousands  of  compromised  computers  that  are  directed  by 
a  cybercriminal  to  attack  as  a  swarm  from  all  parts  the  globe.  If  the  attack  is  against 
a  yet-undisclosed,  or  newly-discovered  security  vulnerability,  the  targeted  computer 
systems  may  be  at  a  significant  disadvantage.  Most  current  computer  security 
safeguards  operate  mainly  to  prevent  the  types  of  attacks  that  are  known  to 
administrators.  A  new,  unique  type  of  attack  against  computers  may  encounter 
inadequate,  untested,  or  non-existent  defenses. 

A  2004  survey  by  an  internet  security  company,  covering  450  networks  in  35 
countries,  found  that  hacking  had  become  a  profitable  criminal  pursuit.42  Hackers 
sell  unknown  computer  vulnerabilities  (commonly  called  “zero-day  exploits”)  on  the 
black  market  to  criminals  who  use  them  for  fraud.  Hackers  with  networks  of 
compromised  computers  rent  them  to  other  criminals  who  use  them  to  launch 
coordinated  attacks  against  targeted  individuals  or  businesses,  including  banks  or 
other  institutions  that  manage  financial  information.43 

In  Autumn  2004,  organized  cybercriminals  appear  to  have  infiltrated  the 
computer  systems  of  the  London  offices  of  Sumitomo,  the  Japanese  bank,  in  an 
attempt  to  steal  £220  million.  The  cybercriminals  reportedly  planned  to  transfer  the 
money  to  other  bank  accounts  around  the  world.  Officials  at  the  London  police  fraud 
squad  reportedly  stated  that  Sumitomo  is  the  only  incident  so  far  in  which  an  attack 
by  external  cybercriminals  has  nearly  succeeded  against  a  major  bank.44  Figures  from 


41  The  Global  Business  Security  Index  reports  worldwide  trends  in  computer  security  from 
incidents  that  are  collected  and  analyzed  by  IBM  and  other  security  organizations.  IBM 
press  release,  IBM  Report:  Government,  Financial  Sen’ices  and  Manufacturing  Sectors  Top 
Targets  of  Security  Attacks  in  First  Half  of 2005,  IBM,  August  2,  2005. 

42  Counterpane  Internet  Security,  Attack  Trends  2005,  June  2005, 
[http://www.schneier.com/essay-085.pdf] 

43  Bruce  Schneier,  Attack  Trends:  2004  and  2005,  June  6,  2005, 

[http://www.schneier.com/blog/archives/2005/06/attack_trends_2.html]. 

44  Conal  Walsh,  Terrorism  on  the  cheap  -  and  with  no  paper  trail.  The  Guardian  Observer 
(London),  July  17,  2005. 
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the  National  Hi-Tech  Crime  Unit  in  England  show  that,  in  2003,  at  least  83  per  cent 
of  U.K.  companies  were  targeted  by  hackers  in  attempts  to  seize  control  of  their 
systems.45 

Identity  theft  involving  thousands  of  victims  is  enabled  by  advances  in  computer 
technology,  and  by  poor  computer  security  practices.46  For  example,  MasterCard 
International  reported  that  more  than  40  million  credit  card  numbers  belonging  to 
U.S.  consumers  were  accessed  by  a  computer  hacker  and  were  at  risk  of  being  used 
for  fraud.47  Some  of  these  account  numbers  were  reportedly  being  sold  on  a  Russian 
web  site,  and  some  consumers  have  seen  fraudulent  charges  appear  on  their 
statements.  Officials  at  the  UFJ  bank  in  Japan  reportedly  stated  that  some  of  that 
bank’s  customers  may  also  have  become  victims  of  fraud  related  the  same  theft  of 
MasterCard  information.48 

It  has  been  reported  that  information  about  stolen  credit  cards  and  bank  accounts 
is  now  traded  online  in  a  highly  structured  arrangement,  involving  buyers,  seller, 
intermediaries,  and  service  industries.  These  services  include  offering  to  change  a 
billing  address  of  a  theft  victim,  through  manipulation  of  stolen  PINs  or  passwords. 
Estimates  by  some  observers  are  that,  in  a  highly  profitable  black  market,  each  stolen 
MasterCard  number  can  be  sold  for  between  $42  and  $72. 49 

The  Insider  Threat 

A  2003  study  of  security  incidents,  conducted  by  the  U.S.  Secret  Service  and 
the  Carnegie  Mellon  Software  Engineering  Institute,  found  that  attacks  on  computer 
systems  committed  by  insiders  with  authorized  access,  have  reportedly  cost  industry 


45  Hi-Tech  Crime:  The  Impact  on  U.K.  Business  2005,  2004  Survey, 

[http://www.nhtcu.org/media/documents/publications/8817_Survey.pdf] 

46  On  April  12,  2005,  personal  information,  such  as  Social  Security  Numbers  for  310,000 
U.S.  citizens,  may  have  been  stolen  in  a  data  security  breach  that  involved  59  instances  of 
unauthorized  access  into  its  corporate  databases  using  stolen  passwords.  Boston  College 
reported  in  March  2005  that  a  hacker  had  gained  unauthorized  access  to  computer  database 
records  with  personal  information  for  up  to  106,000  alumni,  and  in  the  same  month,  Chico 
State  University  of  California,  reported  that  its  databases  had  been  breached  containing  the 
names  and  Social  Security  numbers  for  as  many  as  59,000  current  and  former  students. 
David  Bank  and  Christopher  Conkey,  New  Safeguards  for  Your  Privacy,  The  Wall  Street 
Journal,  March  24,  2005,  p.  Dl. 

47  Jonathan  Krim  and  Michael  Barbara,  40  Million  Credit  Card  Numbers  Hacked , 
Washington  Post,  June  18,  2005,  A01.  See  also  the  report  by  the  U.S.  House  of 
Representative  Homeland  Security  Committee,  July  1,  2005,  raising  concerns  about 
potential  ties  between  identity  theft  victims  and  terrorism.  Caitlin  Harrington,  Terrorists 
Can  Exploit  Identity  Theft,  Report  From  House  Democrats  Says,  CQ  Homeland  Security, 
July  1,2005. 

48  BBC  News,  Japan  cardholders  ‘hit’  by  theft,  June  21,  2005, 

[http://news.bbc.co.Uk/l/hi/business/41 14252.stm], 

49  CCRC  staff,  Russia,  Biggest  Ever  Credit  Card  Scam,  Computer  Crime  Research  Center, 
July  8,  2005,  [http://www.crime-research.org/news/08.07.2005/1349/]. 
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millions  of  dollars  in  fraud  and  lost  data.50  Insider  employees  with  access  to  sensitive 
information  systems  can  initiate  threats  in  the  form  of  malicious  code  inserted  into 
software  that  is  being  developed  either  locally,  or  under  offshore  contracting 
arrangements.  For  example,  in  January  2003,  twenty  employees  of  subcontractors 
working  in  the  United  States  at  the  Sikorsky  Aircraft  Corporation  were  arrested  for 
possession  of  false  identification  used  to  obtain  security  access  to  facilities  containing 
restricted  and  sensitive  military  technology.  All  of  the  defendants  pleaded  guilty  and 
have  been  sentenced,  except  for  one  individual  who  was  convicted  at  trial  on  April 
19,  2004. 51 

Links  Between  Terrorism  and  Cybercrime 

Linkages  between  criminal  and  terror  groups  may  allow  terror  networks  to 
expand  and  undertake  large  attacks  internationally  by  leveraging  criminal  sources, 
money,  and  transit  routes.  For  example,  observers  speculate  that  Aftab  Ansari,  a 
criminal  suspect  located  in  Dubai,  used  ransom  money  earned  from  prior  kidnappings 
to  assist  with  funding  for  the  September  11,  2001  terrorist  attacks.  Also,  London 
police  officials  believe  that  terrorists  obtained  the  high-quality  explosives  used  for 
the  2005  bombings  on  an  Eastern  European  black  market.52  The  recent  subway  and 
bus  bombings  in  the  U.K.  also  indicate  that  terrorists  may  be  active  within  other 
countries  that  have  large  computerized  infrastructures,  along  with  a  large,  highly 
skilled  information  technology  workforce.  A  report  by  the  Department  of  Homeland 
Security  (DHS)  predicts  that  other  possible  sponsors  of  terrorist  attacks  against  the 
United  States  homeland  may  include  groups  such  as  Jamaat  ul-Fuqura,  a  Pakistani- 
based  organization  allegedly  linked  to  Muslims  of  America;  Jamaat  al  Tabligh,  an 
Islamic  missionary  organization;  and,  the  American  Dar  Al  Islam  Movement.53 

The  proportion  of  cybercrime  that  can  be  directly,  or  indirectly  attributed  to 
terrorists  is  difficult  to  determine.  For  example,  organized  criminals  use  information 
technology  for  the  movement  of  money  internationally.  Where  criminals  and 
terrorists  work  together,  members  of  terrorist  groups  may  be  given  special  training 
in  computer  software,  or  in  engineering,  to  facilitate  communications  through  the 
Internet.  In-house  financial  specialists  and  experienced  advisors  may  also  knowingly, 
or  sometimes  unknowingly,  help  cybercriminals  evade  the  scrutiny  of  bank  regulators 
and  international  investigators.  These  reportedly  may  include,  accountants,  bank 


50  Marisa  Randazzo,  et.  al.,  Insider  Threat  Study:  Illicit  Cyber  Activity  in  the  Banking  and 
Finance  Sector,  Carnegie  Mellon  Software  Engineering  Institute,  August  2004. 

51  U.S.  Attorneys  Office  District  of  Connecticut,  [http://www.usdoj.gov/usao/ct/attf.html]. 

52  Conal  Walsh,  Terrorism  on  the  cheap  -  and  with  no  paper  trail.  The  Guardian  Observer 
(London),  July  17,  2005.  Rollie  Lai,  Terrorists  and  organized  crime  join  forces, 
International  Herald  Tribune,  May  25,  2005,  [http://www.iht.com/articles/2005/ 
05/23/opinion/edlal.php].  Barbara  Porter,  Forum  Links  Organized  Crime  and  Terrorism, 
By  George!,  Summer  2004,  [http://www2.gwu.edu/~bygeorge/060804/crimeterrorism.html]. 

53  The  DHS  report,  dated  January  2005,  is  entitled  “Integrated  Planning  Guidance,  Fiscal 
Years  2005-201 1 .”  Justin  Rood,  Animal  Rights  Groups  and  Ecology  Militants  Make  DHS 
Terror  List,  Right-Wing  Vigilantes  Omitted,  CQ  Homeland  Security,  March  25, 2005.  Eric 
Lipton,  Homeland  Report  Says  that  Threat  From  Terror-List  Nations  Is  Declining,  The  New 
York  Times,  March  31,  2005,  Section  A,  P.9. 
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employees  in  offshore  zones  and  in  major  financial  centers  who  may  or  may  not  also 
be  terrorists  or  supportive  of  the  political  motives  of  their  clients. 54 

Officials  of  the  U.S.  Drug  Enforcement  Agency  (DEA),  reported  in  2003  that 
14  of  the  36  groups  found  on  the  U.S.  State  Department’s  list  of  foreign  terrorist 
organizations  were  involved  in  drug  trafficking.  Consequently,  DEA  officials 
reportedly  argued  that  the  war  on  drugs  and  the  war  on  terrorism  are  and  should  be 
linked.55  A  2002  report  by  the  Library  of  Congress  Federal  Research  Division, 
revealed  a  “growing  involvement  of  Islamic  terrorist  and  extremists  groups  in  drug 
trafficking”,  and  limited  evidence  of  cooperation  between  different  terrorist  groups 
involving  both  drug  trafficking  and  trafficking  in  arms.56  State  Department  officials, 
at  a  Senate  hearing  in  March  2002,  also  indicated  that  some  terrorist  groups  may  be 
using  drug  trafficking  as  a  way  to  gain  financing  while  simultaneously  weakening 
their  enemies  in  the  West  through  exploiting  their  desire  for  addictive  drugs.57 
Western  Europe  and  North  America  continue  to  be  regions  that  have  major  narcotics 
markets,  optimal  infrastructure,  and  open  commercial  nodes  that  increasingly  serve 
the  transnational  trafficking  needs  of  both  criminal  and  terrorist  groups.58 

Drug  traffickers  are  reportedly  among  the  most  widespread  users  of  computer 
messaging  and  encryption,  and  often  have  the  financial  clout  to  hire  high  level 
computer  specialists  capable  of  using  steganography  (writing  hidden  messages 
contained  in  digital  photographs)  and  other  means  to  make  Internet  messages  hard 
or  impossible  to  decipher.  Access  to  such  high  level  specialists  can  allow  terrorist 
organizations  to  transcend  borders  and  operate  internationally  without  detection. 
Many  highly  trained  technical  specialists  available  for  hire  are  located  in  the 


54  Louise  I.  Shelley  and  John  T.  Picarelli,  Methods  Not  Motives:  Implications  of  the 
Convergence  of  International  Organized  Crime  and  Terrorism,  Police  Practice  and 
Research,  Vol.  3,  No.  4,  2002  p.311,  [http://www.american.edu/traccc/Publications/ 
Shelley%20Pubs/To%20Add/MethodsnotMotives.pdf]. 

55  Authorization  for  coordinating  the  federal  war  on  drugs  expired  on  September  30,  2003. 

For  more  information,  see  CRS  Report  RL32353,  War  on  Drugs:  Reauthorization  of  the 
Office  of  National  Drug  Control  Policy.  Also,  see  D.C.  Prefontaine,  QC  and  Yvon 
Dandurand,  Terrorism  and  Organized  Crime  Reflections  on  cm  Illusive  Link  and  its 
Implication  for  Criminal  Law  Reform,  International  Society  for  Criminal  Law  Reform 
Annual  Meeting  —  Montreal,  August  8  —  12,  Workshop  D-3  Security  Measures  and  Links 
to  Organized  Crime,  August  11,  2004,  [http://www.icclr.law.ubc.ca/Pu 

blications/Reports/International%20Society%20Paper%20of%20Terrorism.pdf]. 

56  Berry,  L.,  Curtis,  G.e.,  Hudson,  R.  A.  and  N.  A.  Kollars.  A  Global  Overview  of 
Ncircotics-Funded  Terrorist  and  Other  Extremist  Groups.  Federal  Research  Division, 
Library  of  Congress.  Washington  (D.C.):  Library  of  Congress,  May  2002. 

57  Rand  Beers  and  Francis  X.  Taylor,  U.S.  State  Department,  Narco-Terror:  The  Worldwide 
Connection  Between  Drugs  and  Terror,  testimony  before  the  U.S.  Senate  Judiciary 
Committee,  Subcommittee  on  Technology,  Terrorism,  and  Government  Information,  March 
13,2002. 

58  Glenn  Curtis  and  Tara  Karacan,  The  Nexus  Among  Terrorists,  Narcotics  Traffickers, 
Weapons  Proliferators,  and  Organized  Crime  Networks  in  Western  Europe,  A  study 
prepared  by  the  Federal  Research  Division,  Library  of  Congress,  December  2002,  p.22, 
[http://www.loc.gov/rr/frd/pdf-files/WestEurope_NEXUS  .pdf] . 
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countries  of  the  former  Soviet  Union  and  in  the  Indian  subcontinent.  Some 
specialists  will  not  work  for  criminal  or  terrorist  organizations  willingly,  but  may  be 
misled  or  unaware  of  their  employers  political  objectives.  Still,  others  will  agree  to 
provide  assistance  because  well-paid  legitimate  employment  is  scarce  in  their 
region.59 

State  Sponsors  of  Terrorists 

The  prospect  of  a  nation-state  supporting  cyberterrorism  activity  is  worrisome. 
However,  in  March  2005,  a  Department  of  Homeland  Security  (DHS)  report 
indicated  that,  of  the  six  nations  currently  listed  by  the  State  Department  as  terrorist 
sponsors,  five  of  them  —  North  Korea,  Sudan,  Syria,  Libya,  and  Cuba  —  are 
described  as  a  diminishing  concern  for  terrorism.  Only  Iran  remains  listed  as  a 
nation-state  possibly  having  a  future  motivation  to  assist  terrorist  groups  in  attacking 
the  United  States  homeland. 

China  is  often  cited  as  providing  government  support  to  computer-hackers.  A 
paper  published  in  1999  authored  by  two  senior  colonels  in  the  Chinese  military 
specifically  discusses  the  need  for  China  to  place  new  emphasis  on  information 
warfare  methods  to  attack  enemy  financial  markets,  civilian  electricity  networks,  and 
telecommunications  networks  by  burying  “...a  computer  virus  and  hacker  detachment 
in  the  opponent’s  computer  systems  in  advance...”  of  launching  the  information 
warfare  network  attacks.60 

Methods  for  conducting  information  warfare,  that  might  involve  secretly 
sponsoring  terrorists,  could  be  used  to  advance  the  goals  of  a  nation  state.  With  this 
in  mind,  DoD  officials  have  acknowledged  that  hackers,  apparently  based  in  China, 
have  been  successfully  penetrating  U.S.  military  networks  since  2001,  and  perhaps 
earlier.  News  report  indicate  that  hackers  have  broken  into  military  networks  at  (1) 
the  U.S.  Army  Information  Systems  Agency,  (2)  the  Naval  Ocean  Systems  Center, 
(3)  the  Defense  Information  Systems  Agency,  and  (4)  the  United  States  Army  Space 
and  Strategic  Defense  installation.  Although  some  of  these  successful  cyberattacks 
were  directed  against  unclassified  networks,  one  intrusion  reportedly  did  obtain  data 
on  a  future  Army  command  and  control  system.61  Although  the  hackers  are 
suspected  to  be  based  in  China,  DoD  and  security  officials  remain  divided  over  (1) 
whether  the  ongoing  cyberattacks  are  coordinated  or  sponsored  by  the  Chinese 
government,  (2)  whether  they  are  the  work  of  individual  and  independent  hackers, 
or  (3)  whether  the  cyberattacks  are  being  initiated  by  some  third-party  organization 
that  is  using  network  servers  in  China  to  disguise  the  true  origins  of  the  attacks. 


59  Louise  Shelly,  Organized  Crime,  Cybercrime  and  Terrorism,  Computer  Crime  Research 

Center,  September  27,  2004,  [http://www.crime-research.org/articles/Terro 

rism_Cybercrime/] . 

60  Qioa  Lang  and  Wang  Xiangsui,  Unrestricted  Warfare,  Beijing:  PLA  Literature  and  Arts 
Publishing  House,  February  1999. 

61  Frank  Tiboni,  The  New  Trojan  War,  Federal  Computer  Week,  August  22,  2005,  p.60. 

Nathan  Thornburgh,  Inside  the  Chinese  Hack  Attack,  August  25,  2005, 

[http://www.time.com/time/nation/printout/0,88 16, 109837  L00.html]. 
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U.S.  Efforts  to  Prevent  Cybercrime 

To  improve  cybersecurity  for  federal  agencies  and  the  critical  infrastructure,  the 
Office  of  Management  and  B  udget  (OMB )  has  created  a  task  force  to  investigate  how 
agencies  can  better  coordinate  cybersecurity  functions  such  as  training,  incident 
response,  disaster  recovery,  and  contingency  planning.  The  U.S.  Department  of 
Homeland  Security  has  also  created  a  new  National  Cyber  Security  Division  that  will 
focus  on  reducing  vulnerabilities  in  the  government’ s  computing  networks,  and  in  the 
private  sector  to  help  protect  the  critical  infrastructure.62 

Officials  at  DHS  and  the  Department  of  Justice  (DoJ)  have  announced  plans  to 
survey  36,000  U.S.  businesses  in  2005  to  measure  the  type  and  frequency  of 
computer  security  incidents.  The  survey  will  provide  the  first  and  only  statistically 
valid  measure  of  trends  in  computer  security  using  national  data  on  cybercrime, 
including  U.S.  businesses  in  all  sectors  of  the  civilian  critical  infrastructure.63  The 
DHS  National  Cyber  Security  Division  (NCSD)64,  and  the  National  Cyber  Response 
Coordination  Group  (NCRCG)65  have  also  announced  plans  to  conduct  a  national 
cybersecurity  preparedness  and  response  exercise,  called  Cyber  Storm,  also 
scheduled  for  winter  2005. 

In  August  2005,  DoD  Directive  3020.40,  the  “Defense  Critical  Infrastructure 
Program,”  assigned  functional  responsibility  within  DoD  for  coordinating  with  public 
and  private  sector  services  for  protection  of  defense  critical  infrastructures  from 
terrorist  attacks,  including  cyberattack.66  DoD  also  announced  the  formation  of  the 
Joint  Functional  Component  Command  for  Network  Warfare  (JFCCNW)  which  has 
responsibility  for  defending  all  DoD  computer  systems.  The  expertise  and  tools  used 
in  this  mission  are  for  both  offensive  and  defensive  operations.67 

Security  vendors  have  learned  that  to  combat  cybercrime  more  effectively,  it 
must  be  treated  as  a  global  problem.  Many  of  these  security  vendors  have  created 
their  own  independent  advance-warning  systems  through  linking  proprietary  security 
equipment  into  global  networks  that  share  information  collected  by  their  distributed 


62  Jason  Miller,  New  Cybersecurity  Team  Meets  this  Week,  Government  Computer  News, 
March  21,  2005.  Grant  Gross,  Homeland  Security  to  Oversee  Cybersecurity,  PC  World, 
June  9,  2003,  [http://www.pcworld.eom/news/article/0.aid,  1 1 1066,00.asp]. 

63  Dibya  Sarkar,  DHS,  DOJ  plan  cybercrime  survey,  FCW.com,  January  13,  2005, 
[http://www.fcw.com/fcw/articles/2005/01 10/web-survey-01- 13-05.  asp]. 

64  The  NCSD  is  the  focal  point  for  the  federal  government’s  interaction  with  state  and  local 
government,  the  private  sector,  and  the  international  community  concerning  cyberspace 
vulnerability  reduction  efforts. 

65  The  NCRCG  is  a  forum  of  13  principal  agencies  that  coordinates  intra-governmental  and 
public/private  preparedness  operations  to  respond  to  and  recover  from  large-scale 
cyberattacks. 

66  The  Defense  Critical  Infrastructure  is  defined  as  those  DoD  and  non-DoD  networked 
assets  essential  to  project,  support,  and  sustain  military  forces  and  operations  worldwide. 

67  John  Lasker,  U.S.  Military’s  Elite  Hacker  Crew,  Wired  News,  April  18,  2005, 
[http://www.wired.eom/news/print/0, 1294.67223.00.html]. 
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customer  base.  One  example  is  an  early-warning  cyber- security  intrusion  program 
that’s  composed  of  a  global  network  of  19,000  firewall  and  intrusion-detection 
devices  maintained  by  thousands  of  volunteer  data  partners.  This  early  intrusion 
system  correlates  global  data  to  detect  the  start  of  a  possible  swarming  Internet  attack 
originating  simultaneously  in  different  parts  of  the  world,  and  notifies  administrators 
to  help  them  defend  their  systems  when  targeted.68  A  similar  public/private 
partnership  security  warning  program  was  created  through  the  Cyber  Incident 
Detection  Data  Analysis  Center  (CIDDAC)69.  In  2005,  CIDDAC  will  install  special 
sensors  on  the  networks  of  participating  partner  companies  to  automatically  detect 
cyberattacks  and  notify  administrators  and  law  enforcement. 

International  Efforts  to  Prevent  Cybercrime 

Cybercrime  is  a  major  international  challenge,  however  attitudes  about  what 
composes  a  criminal  act  of  computer  wrongdoing  may  still  vary  from  country  to 
country.  The  European  Union  has  set  up  the  Critical  Information  Infrastructure 
Research  Coordination  Office  (CI2RCO),  which  is  tasked  to  examine  how  its 
member  states  are  protecting  their  critical  infrastructures  from  possible  cyberattack. 
The  project  will  identify  research  groups  and  programs  focused  on  IT  security  in 
critical  infrastructures. 

The  Convention  on  Cybercrime  was  adopted  in  2001  by  the  Council  of  Europe, 
a  consultative  assembly  of  43  countries,  based  in  Strasbourg.  The  Convention, 
effective  July  2004,  is  the  first  and  only  international  treaty  to  deal  with  breaches  of 
law  “over  the  internet  or  other  information  networks”.  The  Convention  requires 
participating  countries  to  update  and  harmonize  their  criminal  laws  against  hacking, 
infringements  on  copyrights,  computer  facilitated  fraud,  child  pornography,  and  other 
illicit  cyber  activities.70  To  date,  eight  of  the  42  countries  that  signed  the  Convention 
have  completed  the  ratification  process. 

Although  the  United  States  has  signed  the  Convention,  it  did  not  sign  a 
complementary  protocol  that  contained  provisions  to  criminalize  xenophobia  and 
racism  on  the  Internet,  which  would  likely  not  be  supported  by  the  U.S. 
Constitution.71  The  complementary  protocol  could  be  interpreted  as  requiring  nations 
to  imprison  anyone  guilty  of  “insulting  publicly,  through  a  computer  system”  certain 


68  Paul  Roberts,  Symantec  Offers  Early  Warning  of  Net  Threats,  PCWorld,  February  12, 
2003,  [http://www.pcworld.eom/news/article/0.aid,  109322,00.asp]. 

69  CIDDAC  is  a  not-for-profit  organization  that  combines  private  and  government 
perspectives  to  facilitate  automated  real-time  sharing  of  cyberattack  data.  CIDDAC  is 
specifically  designed  to  protect  privacy  rights  while  collecting  cyber  threat  information  from 
sensors  attached  to  corporate  computer  networks. 

Full  text  for  the  Convention  on  Cyber  Crime  may  be  found  at 
[http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=8&DF= 
18/06/04&CL=ENG]. 

71  The  U.S.  Senate  Committee  on  Foreign  Relations  held  a  hearing  on  the  Convention  on 
June  17,  2004.  CRS  Report  RS21208,  Cybercrime:  The  Council  of  Europe  Convention. 
Estelle  Durnout,  Council  of  Europe  ratifies  cybercrime  treaty,  ZDNet,  March  22,  2004, 
[http://news.zdnet.co.Uk/business/legal/0.3902065 1 ,39 149470.00.htm] . 
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groups  of  people  based  on  characteristics  such  as  race  or  ethnic  origin,  a  requirement 
that  could  make  it  a  crime  to  e-mail  jokes  about  ethnic  groups  or  question  whether 
the  Holocaust  occurred.  The  Department  of  Justice  has  said  that  it  would  be 
unconstitutional  for  the  United  States  to  sign  that  additional  protocol  because  of  the 
First  Amendment’s  guarantee  of  freedom  of  expression.  The  Electronic  Privacy 
Information  Center,  in  a  June  2004  letter  to  the  Foreign  Relations  Committee, 
objected  to  U.S.  ratification  of  the  Convention,  because  it  would  “would  create 
invasive  investigative  techniques  while  failing  to  provide  meaningful  privacy  and 
civil  liberties  safeguards.”72  However,  a  coalition  of  U.S.  industry  associations, 
including  the  Business  Software  Alliance,  the  Cyber  Security  Industry  Alliance,  the 
American  Bankers  Association,  the  Information  Technology  Association  of  America, 
InfraGard,  Verisign,  and  several  others,  have  urged  the  U.S .  Senate  Foreign  Relations 
Committee  to  recommend  ratification  of  the  Convention.73 

The  Bush  Administration  submitted  the  Convention  on  Cybercrime  (Treaty  Doc. 
108-11)  to  the  Senate  for  hearings  and  resolution  in  November  2003.  On  July  26, 
2005,  the  U.S.  Senate  Foreign  Relations  Committee  approved  the  signed  Convention, 
clearing  the  way  for  a  floor  vote  later  in  the  year.  A  report  from  the  Senate  Foreign 
Relations  Committee  is  expected  to  be  published  before  the  end  of  the  current  session 
of  Congress. 


Analysis  and  Policy  Issues 

Computer  security  experts  disagree  about  whether  a  widespread  coordinated 
cyberattack  by  terrorists  is  a  near-term  or  long-term  possibility.  However,  terrorists 
have  repeatedly  demonstrated  a  willingness  to  plan  and  launch  conventional  attacks 
against  targets  that  have  easy  accessibility  and  numerous  vulnerabilities.  Internet  and 
computer  system  vulnerabilities  are  persistent  and  widely  publicized.  As  technology 
continues  to  advance,  the  capability,  reliance,  and  interdependent  nature  of  computer 
systems  likely  will  be  more  vulnerable  to  cyberattack  tools  that  are  becoming  faster 
and  more  sophisticated.  Terrorists  may  also  be  developing  links  with  cybercriminals 
that  will  give  them  access  to  high-level  computer  skills.  The  time  may  be 
approaching  when  a  cyberattack  may  offer  advantages  that  cause  terrorists  to  act, 
even  if  the  probability  of  success,  or  level  of  effectiveness,  is  unknown.  Similar  to 
terrorists  reconnaissance  of  physical  targets  to  assess  the  level  of  security  prior  to  an 
attack,  it  is  suggested  that  the  U.S.  may  experience  a  number  of  small  cyber  intrusion 
events  prior  to  an  attempt  at  a  larger  more  devastating  attack. 

One  issue  is  whether  DHS  has  done  enough  to  strengthen  computer  security  for 
civilian  federal  agencies  and  for  the  private  sector.  In  July  2005,  DHS  Secretary 
Michael  Chertoff  announced  creation  of  the  new  position  of  Assistant  Secretary  for 


72  [http://www.epic.org/privacy/intl/senateletter-06 1704.pdf] . 

73  Patience  Wait,  Industry  Groups  urge  Senate  ratification  of  cybercrime  treaty, 

Government  Computer  News,  June  6,  2005,  [http://appserv.gcn.com/voll_nol/web/362 
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8462.html?tag=st.util.print] . 


CRS-18 


Cyber  and  Telecommunications  Security.  In  doing  so  he  acknowledged  both  the 
efficiencies  and  vulnerabilities  of  modem  technology  upon  which  so  much  of  society 
now  depends.74  Many  cybersecurity  observers  hope  that  by  elevating  the  DHS  Cyber 
Security  Officer  from  a  Division  Director  to  an  Assistant  Secretary  level  position,  the 
new  senior  official  will  become  a  more  effective  proponent  of  federal  government 
efforts  to  address  and  manage  information  technology  vulnerabilities,  incident 
response  programs,  and  remediation  efforts. 

DHS  is  also  supporting  efforts  to  encourage  U.S.  computer  systems  to  change 
to  the  new,  reportedly  more  secure,  IPV6  Internet  Protocol.77  Despite  these  efforts, 
according  to  GAO  officials,  DHS  does  not  have  an  Internet  recovery  plan,  or  a 
national  cybersecurity  threat  assessment.  DHS  officials  have  stated  that  a  draft 
cybersecurity  threat  evaluation  plan  will  be  available  in  late  2005,  but  a  finalized 
cybersecurity  plan  that  pinpoints  the  nations’s  weakest  security  links  will  likely  not 
be  available  until  2006. 76  Leaders  of  the  Senate  Committee  on  Homeland  Security 
and  Governmental  Affairs,  Subcommittee  on  Financial  Management,  Government 
Information  and  International  Security,  reportedly  have  stated  that  DHS  does  not 
have  a  robust  way  to  detect  a  coordinated  attack  against  the  critical  infrastructure.77 

Security  vulnerabilities  found  in  the  Internet  and  in  critical  infrastructure 
computer  systems  are  widely  publicized.  Many  experts  are  concerned  that  private 
sector  cyber- security  firms  do  not  notify  DHS  or  their  customers  immediately  upon 
recognition  of  a  potentially  serious  Internet  security  vulnerability.  If  hackers  become 
aware  of  this  vulnerability,  observers  speculate  that  these  individuals  could  disable 
portions  of  the  Internet,  or  successfully  disrupt  selected  portions  of  the  U.S.  or 
international  critical  infrastructure.  This  raises  the  following  questions: 

•  Should  vendors  of  computer  products  be  required  to  quickly  report 
all  serious,  newly  discovered  product  vulnerabilities  to  DHS? 

•  Should  computer  service  providers  or  businesses  be  required  to 
report  to  DHS  any  major  security  vulnerabilities  that  have  been 
newly  exploited  by  cybercriminals? 

•  Should  there  be  penalties  if  an  organization  has  a  poor  security 
policy  that  contributes  to  a  major  loss  of  sensitive  information? 


74  Secretary  Michael  Chertoff,  U.S.  Department  of  Homeland  Security,  Second  Security 

Stage  Review  Remarks,  July  13,  2005,  [http://www.dhs.gov/dhspublic 

/interapp/speech_0255  .xml] . 

75  IPV6  is  the  designation  for  a  newer,  more  secure  communications  protocol  for  the 
Internet.  For  more  information,  see  CRS  Report  RL32411:  Network  Centric  Warfare: 
Background  and  Oversight  Issues  for  Congress. 

76  Wilson  Dizard,  Cybersecurity  plans  wait  for  DHS  to  complete  its  evaluation  of  threats, 
Government  Computer  News,  July  25,  2005,  vol.24,  No.20. 

77  Grant  Gross,  Senators  Call  on  DHS  to  Improve  Cybersecurity  Efforts,  Symantec, 
[http://enterprisesecurity.symantec.com/publicsector/article.cfm?articleid=5862&EID=0]. 
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Some  actions  are  underway  that  Congress  may  consider.78  For  example,  on 
September  30,  2005,  an  interim  rule  was  issued  by  the  Federal  Acquisition 
Regulations  Council,  outlining  several  new  steps  acquisition  workers  must  take  to 
ensure  FT  security  is  incorporated  into  all  federal  purchases.  Under  this  interim  rule, 
government  contracting  officers  must  include  additional  cybersecurity  rules  in  their 
acquisition  planning,  which  will  require  vendors  to  improve  computer  security  for 
the  FT  products  and  services  they  supply  to  the  federal  government.79 

Experts  now  believe  that  terrorist  collaborate  with  organized  crime  networks  in 
the  Middle  East  for  international  smuggling  of  arms  and  illegal  drugs.  Criminal  drug 
traffickers  can  provide  terrorists  with  access  to  computer  specialists  with  high-level 
technical  skills.  What  are  the  pro’s  and  con’s  of  linking  counterterrorism  efforts 
more  closely  to  the  efforts  of  agencies  that  counter  drug  trafficking? 

Should  the  counterterrorism  efforts  be  linked  more  closely  with  international 
efforts  to  prevent  cybercrime?  What  are  effective  ways  to  encourage  more 
international  cooperation  for  identifying  which  activities  should  be  labeled  as 
cybercrime,  and  for  punishing  those  who  operate  as  cybercriminals? 

Security  experts  have  reportedly  stated  that,  although  U.S .  military  networks  are 
relatively  secure,  many  of  those  networks  remain  highly  dependent  on  the  civilian 
communications  infrastructure.80  Should  DoD  collaborate  more  closely  with  DHS 
for  new  technologies  to  strengthen  the  computer  security  of  civilian  agencies  and 
infrastructure? 

Trends  for  cybercrime  indicate  that  computer  attacks  could  increase  in  number, 
speed,  and  sophistication.  Will  future  unknown  computer  vulnerabilities  and 
sophisticated  attacks  allow  terrorist  to  launch  an  effective  cyberattack  that  might 
overwhelm  the  ability  of  civilian  agencies  to  respond  effectively?  Could  a  new 
approach  to  computer  security  reduce  vulnerabilities?  An  example  of  a  new 
approach  to  improve  computer  security  for  computer  systems  and  the  Internet  might 
include  development  and  refinement  of  quantum  methods  for  unbreakable 
cryptography.81  However,  new  approaches  to  computer  security  could  also  lead  to 
the  emergence  of  new  threats  directed  against  new  vulnerabilities.  For  example,  the 


78  See  National  Institute  of  Standards  and  Technology  web  site  for  Federal  Agency  Security 
Practices,  [http://csrc.nist.gov/fasp/] . 

79  Jason  Miller,  IT  security  requirements  now  part  of  the  FAR,  Government  Computer 
News,  September  30,  2005,  [http://www.gcn.com/voll_nol/daily-updates/37162-l.html]. 
Federal  Register,  September  30,  2005,  Vol70,  No.  189,  Pg.  57449-57452. 

80  Barton  Reppert,  remarks  made  by  Clifford  Lau,  July  26,  2005,  at  the  Rayburn  House 
Office  Building,  subsequent  to  a  hearing  by  the  House  Science  Committee. 

81  Quantum  cryptography:  In  the  microscopic  world,  once  a  system  is  observed,  it  is 
inevitably  affected  and  changes  into  another  state  (Heisenberg’s  Uncertainty  Principle).  By 
incorporating  the  fact  that  weak  light  behaves  as  “photons”  subject  to  this  law,  quantum 
cryptography  is  an  unbreakable  cryptography  with  the  photons  becoming  the  information 
carriers,  or  information  cameras.  Press  Release,  Mitsubishi  Electric,  2002, 
[http://global.mitsubishielectric.com/news/news_releases/2002/mel0560_b.html]. 
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proliferation  and  use  of  commercial  products  with  unbreakable  cryptography  could 
seriously  undermine  the  ability  of  law  enforcement  to  perform  critical  missions  such 
as  protecting  against  threats  posed  by  terrorists,  organized  crime,  and  foreign 
intelligence  agents. 


Related  Legislation 

The  following  bills  are  related  to  improving  national  computer  security,  or  the 
prevention  of  cybercrime: 

•  H.R.  285.  On  January  6,  2005,  the  Department  of  Homeland 
Security  Cybersecurity  Enhancement  Act  of  2005  was  introduced  by 
Representative  Mac  Thomberry.  The  bill  proposes  to  amend  the 
Homeland  Security  Act  of  2002  to  enhance  cybersecurity  by  creating 
a  new  Directorate  for  Information  Analysis  and  Infrastructure 
Protection  in  a  National  Cybersecurity  Office,  headed  by  an 
Assistant  Secretary  for  Cybersecurity,  who  shall  assist  the  Secretary 
in  promoting  cybersecurity  for  the  Nation.  The  bill  also  proposes 
appropriate  measures  for  the  recovery  of  the  cybersecurity  elements 
of  critical  infrastructure.  Referred  to  the  House  Committee  on 
Homeland  Security,  Subcommittee  on  Economic  Security, 
infrastructure  Protection,  and  Cybersecurity,  February  18,  2005. 
Forwarded  by  the  Subcommittee  to  the  Full  House  Committee  on 
Homeland  Security,  April  20,  2005. 

•  S.  768.  On  April  12,  2005,  the  Comprehensive  Identity  Theft 
Prevention  Act  was  introduced  by  Senator  Charles  Schumer.  The 
bill  proposes  to  establish  in  the  Federal  Trade  Commission  (FTC)  an 
Office  of  Identity  Theft  to  coordinate  international  responses  to 
identify  theft  and  development  of  best  practices  to  protect 
consumers.  The  bill  also  proposes  to  amend  the  Homeland  Security 
Act  of  2002  to  establish  in  the  Directorate  for  Information  Analysis 
and  Infrastructure  Protection  of  the  Department  of  Homeland 
Security(DHS)  a  National  Cybersecurity  Office  to  assist  in 
promoting  cybersecurity  for  the  United  States,  and  to  grant  the 
Assistant  Secretary  for  Cybersecurity  primary  authority  for  all 
cyber  security-related  critical  infrastructure  programs  of  DHS.  On 
April  12,  2005,  the  bill  was  referred  to  the  Senate  Committee  on 
Commerce,  Science,  and  Transportation. 

•  H.R.  1817.  Introduced  on  April  26,  2005,  by  Representative 
Christopher  Cox,  this  bill  proposes  to  authorize  appropriations  for 
fiscal  year  2006  for  the  Department  of  Homeland  Security,  and 
establish  in  DHS  an  Assistant  Secretary  for  Cybersecurity  appointed 
by  the  President.  Referred  jointly  and  sequentially  to  the  House 
Committee  on  Energy  and  Commerce,  the  House  Committee  on 
Government  Reform,  House  Committee  on  the  Judiciary ,  the  House 
Committee  on  Science,  the  House  Committee  on  Transportation  and 
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Infrastructure,  the  House  Committee  on  Ways  and  Means,  the 
House  Committee  on  Intelligence,  May  3,  2005.  Reported 
(Amended)  by  the  Committee  on  Energy  and  Commerce.(  H.  Rept. 
109-71,  Part  II.),  and  the  Committee  on  Judiciary  (H.  Rept.  109-71, 
Part  HI),  May  13,  2005.  On  passage  Passed  by  recorded  vote:  424 
-  4  (Roll  no.  189),  May  18,  2005.  Received  in  the  Senate  and 
referred  to  the  Senate  Committee  on  Homeland  Security  and 
Governmental  Affairs,  May  18,  2005. 

•  H.R.  3109.  Introduced  on  June  29,  2005,  by  Representative  Sheila 
Jackson-Lee,  this  bill  proposes  to  authorize  the  Secretary  of 
Homeland  Security  to  establish  a  program  to  award  grants  to 
institutions  of  higher  education  for  the  establishment  or  expansion 
of  cybersecurity  professional  development  programs.  Referred  to 
the  House  Committee  on  Science,  and  to  the  Committee  on 
Education  and  the  Workforce,  and  the  Committee  on  Homeland 
Security,  June  29,  2005. 

•  H.R.  744.  Introduced  on  February  10,  2005,  by  Representative  Bob 
Goodlatte,  this  bill  proposes  to  amend  title  18,  United  States  Code, 
to  discourage  spyware,  and  expresses  the  sense  of  Congress  that  the 
Department  of  Justice  should  vigorously  prosecute  those  who  use 
spyware  to  commit  crimes,  and  those  that  conduct  phishing  or 
pharming  scams.  Reported  by  the  House  Committee  on  Judiciary 
(H.  Rept.  109-93)  May  23  2005.  Passed  by  the  House  (395-1)  May 
23,  2005.  Received  in  the  Senate  and  referred  to  the  Senate 
Committee  on  the  Judiciary,  May  24,  2005. 


